[syslog-ng] Correct Usage of Multiple 'pattern' Databases

David Hauck davidh at netacquire.com
Fri Apr 11 22:10:37 CEST 2014


Hi Viktor,
  
On Friday, April 11, 2014 1:01 PM, syslog-ng-bounces at lists.balabit.hu wrote:
> Hi David!
> 
> If a log message does not match any pattern for a parser, syslog-ng 
> db-parser sets its .classifier.class to "unknown" regardless of the field's previous state.
> So if it matched on a previous parser, the next parser will overwrite 
> it if it doesn't match on that. I think it's a bug rather than a 
> feature, so could you please open an issue for that on GitHub?

Sure, I can do that (although I can imagine a potential valid semantic for wanting this to behave either way).

> You can merge patterndb .pdb files easily with "pdbtool merge"
> command, which is shipped with syslog-ng. It's simpler than having junctions :).

:) OK, that's an option too (although I also like splitting these out into individual files and not having to run the merge whenever an individual file is modified).

Cheers,
-David
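
The following configuration is an added example, not part of either poster's message. It sketches the junction approach mentioned above: the pattern files stay separate, and the second db-parser only sees a message when the first one classified it as "unknown", so an earlier match is not overwritten. The version line, the file paths and the object names (`s_local`, `d_classified`, `p_db_a`, `p_db_b`, `f_classified`) are assumptions.

```conf
@version: 3.5

# Constructed example: the version, paths and object names are assumptions.
source s_local { system(); internal(); };

destination d_classified {
    file("/var/log/classified.log"
         template("${ISODATE} ${HOST} class=${.classifier.class} rule=${.classifier.rule_id} ${MSG}\n"));
};

# One db-parser per pattern file, so each file can be edited on its own.
parser p_db_a { db-parser(file("/etc/syslog-ng/patterndb.d/a.pdb")); };
parser p_db_b { db-parser(file("/etc/syslog-ng/patterndb.d/b.pdb")); };

# Passes only messages that the preceding db-parser actually classified.
filter f_classified { "${.classifier.class}" ne "unknown"; };

log {
    source(s_local);
    junction {
        # Try database A first. A miss is dropped from this channel only,
        # so flags(final) does not stop the next channel from seeing it.
        channel { parser(p_db_a); filter(f_classified); flags(final); };

        # Reached only when A did not match: the original, unparsed copy of
        # the message is handed to database B, whose result (including
        # "unknown") is kept.
        channel { parser(p_db_b); flags(final); };
    };
    destination(d_classified);
};
```

Messages that neither database matches still reach the destination with class "unknown", which keeps unclassified events visible for review.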

